[RESOLVED] Session Question

brendan2b

Ok so i have a login page... with a form for users to login. It sends the data to login_check.php which processes it using sessions and either sends the user to members.php or loginfailed.php depending on the number of rows in the table that comes back from my query (0 or 1).

There is one problem however. I tried to include the same security code for my members.php page so that when you close your browser, and open it back up by typing in www.mydomain.com/members.php it will take you to the login page because the session doesnt really exist yet. What code do I need to put on the top of the members page in order to insure that they cannot just type that url and that it will automatically put them at the login page. Much help is needed. Here is the php for the following files.

login.php

<html>
<form action="login_check.php" method="post" onSubmit="MM_validateForm('username','','R','password','','R');return document.MM_returnValue">
<span class="style23">username:</span>

<input type="text" name="username" size=20>
<br>
<br>
<span class="style23">password:</span>

<input type="password" size=20 name="password">
<br>
<br>
<input type="submit" value="Login">
<br>
<br>
<br>
<span class="style25">Not a member? <a href="register.php">Register</a> Now it's free!
</span>
</form>
</html>

login_check.php

include('dbconnect.php');

session_start();

// username and password sent from login form
$username=$POST['username'];
$password=$POST['password'];
$SESSION['username']=$username;
$SESSION['password']=$password;

$sql="SELECT * FROM user_information WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $Email and $Password, table row must be 1 row

if($count==1){
// Register $Email, $Password and redirect to file "login_success.php"
$SESSION['username'];
$SESSION['password'];
header("location:members.php");
}
else {
header("location:loginfailed.php");
}
?>

members.php

What im asking is what code do i put at the top of the members page to ensure that they have to login, so it will automatically take them to the login page.

Thanks if you can help.

liquorvicar

I usually achieve this with a BOOLean stored in the session.

$_SESSION['logged_in'] = true;

You can then check at the top of every relevant page.

if (!isset($_SESSION['logged_id']) || $_SESSION['logged_id']!==true) {
   header('Location: login.php');
   die();
}

btw, try and use the board's PHP tags when you post code, it makes it much easier to read.

And this:

$username=$_POST['username'];
$password=$_POST['password'];
$_SESSION['username']=$username;
$_SESSION['password']=$password;


$sql="SELECT * FROM user_information WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

is very insecure as is. At the very least you should use mysql_real_escape_string() to avoid SQL injection.